What is app wrapping? One way to more secure mobile apps

As part of a mobile application management strategy, app wrapping allows developers and administrators to apply security enforcement policies to a mobile app without changing its look or functionality.

App wrapping -- the process of applying security policies to a mobile application such as email or a custom-built business app -- can help protect corporate data without changing an app's looks or functionality.

Once the technology is in place, app wrappers enable administrators to set policies that allow employees with corporate-owned or personal mobile devices to safely download an app, typically from an internal store.

As more companies deploy an overarching enterprise mobility management (EMM) strategy, ensuring that sensitive corporate data isn't compromised by employees' mobile apps is paramount, because apps are increasingly targeted by cybercriminals as a window into backend systems.

Today, about 44% of mid-size to large businesses have rolled out EMM software, according to a survey of 500 IT users by market researcher IDC. Of those businesses, about 60% have deployed some level of mobile application management and its app-wrapping technology subset, the survey showed.

Typically, app wrapping is performed with an SDK from an app or EMM vendor; the SDK lets a developer or admin deploy an API through which management policies are set up. For example, an app-wrapping API would allow an admin to control who can download a mobile app and whether corporate data accessed by that app can be copied and pasted.

App wrapping can be applied during internal development of software or after the fact to off-the-shelf software purchases simply by adding executable code via the SDK.

Most app-wrapping capabilities are available natively on EMM software from vendors such as VMware's AirWatch, Box or MobileIron. While some EMM vendors, such as Apperian, claim to be able to add app wrapping to virtually any software, "typically, app developers have to expose code through an API and make it wrappable that way," said Phil Hochmuth, program director for enterprise mobility research at IDC.

The disadvantage with that approach is two-fold, according to Joseph Razavian, senior manager for technology alliances in end-user computing at VMware.

First, a vendor like Box will have to make several iterations of its application to support the various SDKs, or app-wrapping engines, in use; secondly, users can get confused as to which app they need to download -- for example, Box for VMware AirWatch or Box for MobileIron, Razavian said.

Last year, VMware joined forces with several EMM vendors to launch the AppConfig Community, an industry consortium working toward standardization.

"Our joint mission is simple: to make enterprise app configuration and security less complicated for developers by expanding the use of OS-native standards. In doing so, we're collectively accelerating mobile deployments for the enterprise," Razavian said.

A year after launching, the AppConfig Community membership has grown from 60 to 90 independent software vendors, from four to 19 EMM providers, from 160 to more than 1,400 individual developers and from one to two operating systems (iOS at launch and Android since May 2016). The group plans to expand to Windows, as well.

"[The] AppConfig Community is focused on the developer, so as more and more developers start building modern apps on Windows 10 and beyond, we will develop and promote best practices for the platform," Razavian said. "The same holds for future OS platforms.

"With all that being said, the AppConfig Community does not completely replace EMM-specific SDKs and wrappers. Native frameworks are very powerful, but SDKs can fill the gap between the security use cases of the enterprise and the current capabilities of those native OS frameworks," he said. "This is always a moving target."

A complicating factor is the current trend toward native control of apps through mobile OSes, such as Apple's iOS and Android. Recent versions of iOS, for example, allow app-level controls such as data loss prevention and secure access without requiring app wrapping code or software development kits. Management policies for iOS or Android, however, are still configured via an EMM platform, according to Phil Hochmuth, program director for IDC's Enterprise Mobility team.

"EMM platforms will still be the connector or trigger point for creating and managing the policies around the apps, but the execution will be done via the operating system as opposed [to] special code injected into the app," Hochmuth said.

For example, the ability to wipe an app from a mobile device or turn off copy and paste will still be controlled through an EMM console -- not through the application itself.

One of the most widely used mobile application platforms, Microsoft's Office 365, also presents its own unique set of problems with regard to management. In the past, Office 365 didn't allow application management via third-party EMM consoles; that functionality was available only through its Intune cloud-based management service.

"They had a lockout position on that," Hochmuth said. "That was a major drawback."

Earlier this year, however, Microsoft issued APIs to allow some third-party EMM software to handle policy enforcement on Office 365 apps, but it still requires a purchased license for Intune as the bridge, Hochmuth said.

"Microsoft customers were asking for it, and I still think customers will be pushing toward that over time," he said.

"I think where the market is going longer term is more toward native controls for apps and operating systems," Hochmuth continued. "A lot of that has to do with the AppConfig Community. Many app developers, like SAP, Oracle and Box, are moving toward the initiative to make mobile app controls and security more native based -- so [that would mean] using the native functions in iOS and Android to apply security controls."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.